Navigating the ‘crossroads’ with open source firewalls.

Firewalls have been around in some form or another, from the early days of networks. A typical firewall protects the ‘trusted’ internal network from those who are on the ‘untrusted’ outside. Things have changed since the early days. The exploits make it all the way to applications through open ports on the firewall. Requirements to give access to partners, contractors, guests, and customers accessing self service portals, deem the notions of ‘trusted’ and ‘untrusted’ portions of the network useless. Today we stand at a crossroad between installed legacy infrastructure, that does not satisfy even present day security needs, and emerging technologies. Emerging technologies don’t focus on networks and hosts, but on protecting the ‘data’ and the ‘content’. Wisdom of the day is to let the traditional firewalls keep the riff-raff out by only allowing traffic to appropriate ip addresses and ports in, and let the more application specific techniques protect the ‘data’ and defend against application level denial of service attacks.

The cost of the switch from legacy to emerging technology will be large, but the balance is tipping such that the cost of not making the switch will be even larger. Open source can help with the costs by offering the emerging techniques developed by a community of cooperative experts. OpenADC will allow network security experts to write cost effective traditional firewalls that face the internet, and application developers to write the application specific firewalls that sit just in front of the application, such that the two work in unison to provide best protection for the application.

In rest of the posts in this category, I will survey existing open source firewalls — both the traditional network level firewalls, and application specific ones.

What has your experience been with open source firewalls? Let me know in your comments.